We study the problem of automatically computing the controllable region of a Linear Hybrid Automaton, with respect to a safety objective. We describe the techniques that are needed to effectively and efficiently implement a recently-proposed solution procedure, based on polyhedral abstractions of the state space. Supporting experimental results are presented, based on an implementation of the proposed techniques on top of the tool PHAVer.



1 Introduction 

Hybrid systems are an established formalism for modeling physical systems which interact with a digital controller. From an abstract point of view, a hybrid system is a dynamic system whose state variables are both discrete and continuous. Typically, continuous variables represent physical quantities like temperature, speed, etc., while discrete ones represent control modes, i.e., states of the controller.

Hybrid automata [11] are the most common syntactic variety of hybrid system: a finite set of locations, similar to the states of a finite automaton, represents the value of the discrete variables. The current location, together with the current value of the (continuous) variables, forms the instantaneous description of the system. Change of location happens via discrete transitions, and the evolution of the variables is governed by differential equations attached to each location. In a Linear Hybrid Automaton (LHA), the allowed differential equations are in fact polyhedral differential inclusions of the type ẋ ∈ P, where ẋ is the vector of the first derivatives of all variables and P is a convex polyhedron. Notice that differential inclusions are non-deterministic, allowing for infinitely many solutions.

We study LHAs whose discrete transitions are partitioned into controllable and uncontrollable ones, 
and we wish to compute a strategy for the controller to satisfy a given goal, regardless of the evolution 
of the continuous variables and of the uncontrollable transitions. Hence, the problem can be viewed as a 
two player game: on one side the controller, who can only issue controllable transitions, on the other side 
the environment, who can choose the trajectory of the variables and can take uncontrollable transitions 
at any moment. 

As control goal, we consider safety, i.e., the objective of keeping the system within a given region of safe states. This problem has been considered several times in the literature. In [6], we fixed some inaccuracies in previous presentations, and proposed a sound and complete semi-procedure for the problem. Here, we discuss the techniques required to efficiently implement the algorithms in [6]. In particular, two operators on polyhedra need non-trivial new developments to be exactly and efficiently computed. Both operators pertain to intra-location behavior, and therefore assume that trajectories are subject to a fixed polyhedral differential inclusion of the type ẋ ∈ P.

• The pre-flow operator. Given a polyhedron U ⊆ R^n, we wish to compute the set of all points that may reach U via an admissible trajectory. This apparently easy task becomes non-trivial when the convex polyhedron P is not (necessarily) topologically closed. This is the topic of Section 4.
• The may reach while avoiding operator, denoted by RWA^m. Given two polyhedra U and V, the operator computes the set of points that may reach U while avoiding V, via an admissible trajectory. A fixpoint algorithm for this operator was presented in [6]. Here, we introduce a number of efficiency improvements (Section 5), accompanied by a corresponding experimental evaluation (Section 6), carried out on our tool PHAVer+, based on the open-source tool PHAVer [9].

Contrary to most recent literature on the subject, we focus on exact algorithms. Although it is established 
that exact analysis and synthesis of realistic hybrid systems is computationally demanding, we believe 
that the ongoing research effort on approximate techniques should be based on the solid grounds provided 
by the exact approach. For instance, a tool implementing an exact algorithm (like our PHAVer+) may 
serve as a benchmark to evaluate the performance and the precision of an approximate tool. 

Related work. The idea of automatically synthesizing controllers for dynamic systems first arose in connection with discrete systems [17]. Then, the same idea was applied to real-time systems modeled by timed automata [16], thus coming one step closer to the continuous systems that control theory usually deals with. Finally, it was the turn of hybrid systems [20, 13], and in particular of LHA, the very model that we analyze in this paper. Wong-Toi proposed the first symbolic semi-procedure to compute the controllable region of a LHA w.r.t. a safety goal [20]. The heart of the procedure lies in the operator flow_avoid(U, V), which is analogous to our RWA^m. However, the algorithm provided in [20] for flow_avoid does not work for non-convex V, a case which is very likely to occur in practice, even if the original safety goal is convex. A revised algorithm, correcting such flaw, was proposed in [6].

Tomlin et al. and Balluchi et al. analyze much more expressive models [18, 5], with generality in mind rather than automatic synthesis. Their Reach and Unavoid-Pre operators, respectively, again correspond to RWA^m.

Asarin et al. investigate the synthesis problem for hybrid systems where all discrete transitions are controllable and the trajectories satisfy given linear differential equations of the type ẋ = Ax [2]. The expressive power of these constraints is incomparable with the one offered by the differential inclusions occurring in LHAs. In particular, linear differential equations give rise to deterministic trajectories, while differential inclusions are non-deterministic. In control theory terms, differential inclusions can represent the presence of environmental disturbances. The tool d/dt [3], by the same authors, is reported to support controller synthesis for safety objectives, but the publicly available version in fact does not.

2 Linear Hybrid Automata 

A convex polyhedron is a subset of R^n that is the intersection of a finite number of half-spaces. A polyhedron is a subset of R^n that is the union of a finite number of convex polyhedra. For a general (i.e., not necessarily convex) polyhedron G ⊆ R^n, we denote by [[G]] ⊆ 2^{R^n} the finite set of convex polyhedra comprising it.

Given an ordered set X = {x_1, ..., x_n} of variables, a valuation is a function v : X → R. Let Val(X) denote the set of valuations over X. There is an obvious bijection between Val(X) and R^n, allowing us to extend the notion of (convex) polyhedron to sets of valuations. We denote by CPoly(X) (resp., Poly(X)) the set of convex polyhedra (resp., polyhedra) on X.

We use Ẋ to denote the set {ẋ_1, ..., ẋ_n} of dotted variables, used to represent the first derivatives, and X' to denote the set {x'_1, ..., x'_n} of primed variables, used to represent the new values of variables after a transition. Arithmetic operations on valuations are defined in the straightforward way. An activity over X is a differentiable function f : R^{≥0} → Val(X). Let Acts(X) denote the set of activities over X. The derivative ḟ of an activity f is defined in the standard way and it is an activity over Ẋ. A Linear Hybrid Automaton H = (Loc, X, Edg_c, Edg_u, Flow, Inv, Init) consists of the following:

• A finite set Loc of locations. 

• A finite set X = {x_1, ..., x_n} of continuous, real-valued variables. A state is a pair (l, v) of a location l and a valuation v ∈ Val(X).

• Two sets Edg_c and Edg_u of controllable and uncontrollable transitions, respectively. They describe instantaneous changes of locations, in the course of which variables may change their value. Each transition (l, μ, l') ∈ Edg_c ∪ Edg_u consists of a source location l, a target location l', and a jump relation μ ∈ Poly(X ∪ X'), that specifies how the variables may change their value during the transition. The projection of μ on X describes the valuations for which the transition is enabled; this is often referred to as a guard.

• A mapping Flow : Loc → CPoly(Ẋ) attributes to each location a set of valuations over the first derivatives of the variables, which determines how variables can change over time.

• A mapping Inv : Loc → Poly(X), called the invariant.

• A mapping Init : Loc → Poly(X), contained in the invariant, which allows the definition of the initial states from which all behaviors of the automaton originate.

We use the abbreviations S = Loc × Val(X) for the set of states and Edg = Edg_c ∪ Edg_u for the set of all transitions. Moreover, we let InvS = ∪_{l∈Loc} {l} × Inv(l) and InitS = ∪_{l∈Loc} {l} × Init(l). Notice that InvS and InitS are sets of states.



2.1 Semantics 

The behavior of a LHA is based on two types of transitions: discrete transitions correspond to the Edg 
component, and produce an instantaneous change in both the location and the variable valuation; timed 
transitions describe the change of the variables over time in accordance with the Flow component. 

Given a state s = (l, v), we set loc(s) = l and val(s) = v. An activity f ∈ Acts(X) is called admissible from s if (i) f(0) = v and (ii) for all δ ≥ 0 it holds ḟ(δ) ∈ Flow(l). We denote by Adm(s) the set of activities that are admissible from s. Additionally, for f ∈ Adm(s), the span of f in l, denoted by span(f, l), is the set of all values δ ≥ 0 such that (l, f(δ')) ∈ InvS for all 0 ≤ δ' ≤ δ. Intuitively, δ is in the span of f iff f never leaves the invariant in the first δ time units. If all non-negative reals belong to span(f, l), we write ∞ ∈ span(f, l).



Runs. Given two states s, s', and a transition e ∈ Edg, there is a discrete transition s →^e s' with source s and target s' iff (i) s, s' ∈ InvS, (ii) e = (loc(s), μ, loc(s')), and (iii) (val(s), val(s')') ∈ μ, where val(s')' is the valuation over X' obtained from val(s') by renaming each variable x ∈ X onto the corresponding primed variable x' ∈ X'. There is a timed transition s →^{δ,f} s' with duration δ ∈ R^{≥0} and activity f ∈ Adm(s) iff (i) s ∈ InvS, (ii) δ ∈ span(f, loc(s)), and (iii) s' = (loc(s), f(δ)). For technical convenience, we admit timed transitions of duration zero¹. A special timed transition is denoted s →^{∞,f} and represents the case when the system follows an activity forever. This is only allowed if ∞ ∈ span(f, loc(s)). Finally, a joint transition s →^{δ,f,e} s' represents the timed transition s →^{δ,f} (loc(s), f(δ)) followed by the discrete transition (loc(s), f(δ)) →^e s'.



¹ Timed transitions of duration zero can be disabled by adding a clock variable t to the automaton and requesting that each discrete transition happens when t > 0 and resets t to 0 when taken.
A run is a sequence

r : s_0 \xrightarrow{\delta_0, f_0} s'_0 \xrightarrow{e_0} s_1 \xrightarrow{\delta_1, f_1} s'_1 \xrightarrow{e_1} s_2 \ldots s_n \ldots \quad (1)

of alternating timed and discrete transitions, such that either the sequence is infinite, or it ends with a timed transition of the type s_n →^{∞, f_n}. If the run r is finite, we define len(r) = n to be the length of the run, otherwise we set len(r) = ∞. The above run is non-Zeno if for all δ ≥ 0 there exists i ≥ 0 such that Σ_{j=0}^{i} δ_j > δ. We denote by States(r) the set of all states visited by r. Formally, States(r) is the set of states (loc(s_i), f_i(δ)), for all 0 ≤ i ≤ len(r) and all 0 ≤ δ ≤ δ_i. Notice that the states from which discrete transitions start (states s'_i in (1)) appear in States(r). Moreover, if r contains a sequence of one or more zero-time timed transitions, all intervening states appear in States(r).



Zenoness and well-formedness. A well-known problem of real-time and hybrid systems is that definitions like the above admit runs that take infinitely many discrete transitions in a finite amount of time (i.e., Zeno runs), even if such behaviors are physically meaningless. In this paper, we assume that the hybrid automaton under consideration generates no such runs. This is easily achieved by using an extra variable, representing a clock, to ensure that the delay between any two transitions is bounded from below by a constant. We leave it to future work to combine our results with more sophisticated approaches to Zenoness known in the literature [11].

Moreover, we assume that the hybrid automaton under consideration is non-blocking, i.e., whenever 
the automaton is about to leave the invariant there must be an uncontrollable transition enabled. If a 
hybrid automaton is non-Zeno and non-blocking, we say that it is well-formed. In the following, all 
hybrid automata are assumed to be well-formed. 

Strategies. A strategy is a function σ : S → 2^{Edg_c ∪ {⊥}} \ {∅}, where ⊥ denotes the null action. Notice that our strategies are non-deterministic and memoryless (or positional). A strategy can only choose a transition which is allowed by the automaton. Formally, for all s ∈ S, if e ∈ σ(s) ∩ Edg_c, then there exists s' ∈ S such that s →^e s'. Moreover, when the strategy chooses the null action, it should continue to do so for a positive amount of time, along each activity that remains in the invariant. If all activities immediately exit the invariant, the above condition is vacuously satisfied. This ensures that the null action is enabled in right-open regions, so that there is an earliest instant in which a controllable transition becomes mandatory.

Notice that a strategy can always choose the null action. The well-formedness condition ensures that 
the system can always evolve in some way, be it a timed step or an uncontrollable transition. In particular, 
even if we are on the boundary of the invariant we allow the controller to choose the null action, because, 
in our interpretation, it is not the responsibility of the controller to ensure that the invariant is not violated. 

We say that a run like (1) is consistent with a strategy σ if for all 0 ≤ i ≤ len(r) the following conditions hold:

• for all δ ≥ 0 such that Σ_{j=0}^{i-1} δ_j ≤ δ < Σ_{j=0}^{i} δ_j, we have ⊥ ∈ σ((loc(s_i), f_i(δ − Σ_{j=0}^{i-1} δ_j)));

• if e_i ∈ Edg_c then e_i ∈ σ(s'_i).

We denote by Runs(s, σ) the set of runs starting from the state s and consistent with the strategy σ.



Safety control problem. Given a hybrid automaton and a set of states T ⊆ InvS, the safety control problem asks whether there exists a strategy σ such that, for all initial states s ∈ InitS and all runs r ∈ Runs(s, σ), it holds States(r) ⊆ T.
3 Solving the Safety Control Problem

In this section, we recall the semi-procedure that solves the safety control problem for a given LHA and safe region. It is well known in the literature (see e.g. [15, 2]) that the answer to the safety control problem for safe set T ⊆ InvS is positive if and only if

InitS \subseteq \nu W \,.\, T \cap CPre(W)

where CPre is the controllable predecessor operator, defined below. Since the reachability problem for LHA was proved undecidable [11], the above fixpoint may not converge in a finite number of steps. On the other hand, it does converge in many cases of practical interest, as witnessed by the examples in Section 6.

For a set of states A, the operator CPre(A) returns the set of states from which the controller can ensure that the system remains in A during the next joint transition. This happens if for all activities chosen by the environment and all delays δ, one of two situations occurs:

• either the system stays in A up to time δ, while all uncontrollable transitions enabled up to time δ (included) also lead to A, or

• some preceding instant δ' < δ exists such that the system stays in A up to time δ', while all uncontrollable transitions enabled up to time δ' (included) also lead to A, and the controller can issue a transition at time δ' leading to A.

In order to compute CPre(A) on LHA, the auxiliary operator RWA^m (may reach while avoiding) was proposed in [6]. Intuitively, given a location l and two sets of variable valuations U and V, RWA^m_l(U, V) contains the set of valuations from which the continuous evolution of the system may reach U while avoiding V \ U.

For a set of states A and x ∈ {u, c}, let Pre^m_x(A) (for may predecessors) be the set of states where some discrete transition leading to A and belonging to Edg_x is enabled. We denote with A↓_l the projection of A on l, i.e. {v ∈ Val(X) | (l, v) ∈ A}. As proved in [6], we then have that

where B_l = Pre^m_u(\overline{A})↓_l and C_l = Pre^m_c(A)↓_l.

Intuitively, the set B_l is the set of valuations u such that from state (l, u) the environment can take a discrete transition leading outside A, and C_l is the set of valuations u such that from (l, u) the controller can take a discrete transition into A. Then, using the RWA^m operator, we compute the set of valuations from which there exists an activity that either leaves A or enters B_l, while staying in the invariant and avoiding C_l. These valuations do not belong to CPre(A), as the environment can violate the safety goal within (at most) one discrete transition.

Next, we show how to characterize RWA^m in terms of simple operations on polyhedra. Let cl(P) denote the topological closure of a polyhedron P. Given two polyhedra P and F, the pre-flow of P w.r.t. F is:

P \swarrow F = \{ x - \delta y \mid x \in P,\ y \in F,\ \delta \geq 0 \}.

For a given location l ∈ Loc, the pre-flow of P w.r.t. Flow(l) is the set of points that can reach P via a straight-line activity whose slope is allowed in l. For notational convenience, we use the abbreviation P↙_l for P↙Flow(l), and for all polyhedra P and P' we define their boundary to be

bndry(P, P') = (cl(P) \cap P') \cup (P \cap cl(P'))
which identifies a boundary between two (not necessarily closed) convex polyhedra. Clearly, bndry(P, P') is not empty only if P and P' are adjacent to one another or if they overlap; it is empty otherwise. Moreover, given a location l, entry(P, P'), the entry region between P and P', denotes the set of points of the boundary between P and P' which can reach P' by following some straight-line activity in location l. In symbols: entry(P, P') = bndry(P, P') ∩ P'↙_l. The following theorem gives a fixpoint characterization of RWA^m.

Theorem 1 ([6]) For all locations l and polyhedra U, V, it holds

RWA^m_l(U, V) = \mu W \,.\, U \cup \bigcup_{P \in [[\overline{V}]]} \bigcup_{P' \in [[W]]} \big( P \cap entry(P, P') \swarrow_l \big) \quad (2)



The equation refines the under-approximation U by identifying its entry regions, i.e., the boundaries between the area which may belong to the result (i.e., V̄) and the area which already belongs to it (i.e., W). Figure 1 shows a single step in the computation of equation (2) for a fixed pair of convex polyhedra P in V̄ and P' in W. Dashed lines represent topologically open sides. The dark gray rectangles represent convex polyhedra in W, while the light gray one is P.



In Figure 1(a) the thick segment between P and P' represents bndry{P,P') and, in the example, is 
contained in P. Since P' is topologically open (denoted by the dashed line), the rightmost point of 
bndry{P,P') cannot reach P' along any straight-line activity. Being P' open, so is P' y^i, and its inter- 



section with P, namely entry{P,P'), does not contain the rightmost point of the boundary (Figure 1(b) i. 
Now, any point of P that can reach entry{P,P') following some activity can also reach P', and the set 
Cut = Pr\entry{P,P')^i contains precisely those points (Figure 1(c) and Figure 1(d) I. All these points 
must then be added to W, as they all belong to RWAf{U, V). 




Figure 1: Algorithm behavior. (a) Initial input, with bndry(P, P') highlighted. (b) Pre-flow of P'. (c) Entry region. (d) P_new, Cut. (e) Flow(l).

In our implementation, instead of computing the operator RWA^m_l, we compute the dual operator SOR^m_l(Z, V) (for must stay or reach), containing the points which either remain in Z forever or reach V along a system trajectory that does not leave Z. The operator SOR^m_l can be defined as follows:

SOR^m_l(Z, V) = \overline{RWA^m_l(\overline{Z}, V)}.

As a consequence, we can compute CPre(A) as

\bigcup_{l \in Loc} \{l\} \times \Big( A{\downarrow_l} \cap SOR^m_l\big( Inv(l) \cap (A{\downarrow_l} \setminus B_l),\ C_l \cap A{\downarrow_l} \big) \Big) \quad (3)
From the definition of SOR^m_l and Theorem 1, we obtain a fixpoint characterization of the operator SOR^m_l:

SOR^m_l(Z, V) = \overline{RWA^m_l(\overline{Z}, V)} = \overline{\mu W \,.\, \overline{Z} \cup \bigcup_{P \in [[\overline{V}]]} \bigcup_{P' \in [[W]]} (P \cap entry(P, P') \swarrow_l)} =

= \nu W \,.\, Z \cap \overline{\bigcup_{P \in [[\overline{V}]]} \bigcup_{P' \in [[\overline{W}]]} (P \cap entry(P, P') \swarrow_l)} = \nu W \,.\, Z \setminus \bigcup_{P \in [[\overline{V}]]} \bigcup_{P' \in [[\overline{W}]]} (P \cap entry(P, P') \swarrow_l). \quad (4)

The following two sections show how to effectively and efficiently compute fixpoint (4).

4 Exact Computation of Pre-Flow 

As seen in the previous section, one of the basic operations on polyhedra that are needed to compute SOR^m_l is the pre-flow operator ↙. It is sufficient to compute P↙F for convex P and F, for two reasons: First, we always have F = Flow(l), for a given location l, and Flow(l) is a convex polyhedron by assumption. Second, (P_1 ∪ P_2)↙F = (P_1↙F) ∪ (P_2↙F), so the pre-flow of a general polyhedron is the union of the pre-flows of its convex polyhedra.

The pre-flow of P w.r.t. F is equivalent to the post-flow of P w.r.t. −F, defined as:

P \nearrow F = \{ x + \delta y \mid x \in P,\ y \in F,\ \delta \geq 0 \}.

The post-flow operation coincides with the time-elapse operation introduced in [10] for topologically closed convex polyhedra. Notice that for convex polyhedra P and F, the post-flow of P w.r.t. F may not be a convex polyhedron: following [2], let P ⊆ R^2 be the polyhedron containing only the origin (0, 0) and let F be defined by the constraint y > 0. We have P↗F = {(0, 0)} ∪ {(x, y) ∈ R^2 | y > 0}, which is not a convex polyhedron (although it is a convex subset of R^2). The Parma Polyhedra Library (PPL, see [4]), for instance, only provides an over-approximation P↗_{PPL}F of the post-flow P↗F, as the smallest convex polyhedron containing P↗F.

On the other hand, the post-flow of a convex polyhedron is always the union of two convex polyhedra, according to the equation

P \nearrow F = P \cup (P \nearrow_{>0} F),

where P↗_{>0}F is the positive post-flow of P, i.e., the set of valuations that can be reached from P via a straight line of non-zero length whose slope belongs to F. Formally,

P \nearrow_{>0} F = \{ x + \delta y \mid x \in P,\ y \in F,\ \delta > 0 \}.

Hence, in order to exactly compute the post-flow of a convex polyhedron, we show how to compute the positive post-flow.

Convex polyhedra admit two finite representations, in terms of constraints or generators. Libraries like PPL maintain both representations for each convex polyhedron and efficient algorithms exist for keeping them synchronized [4]. The constraint representation refers to the set of linear inequalities whose solutions are the points of the polyhedron. The generator representation consists in three finite sets of points, closure points, and rays, that generate all points in the polyhedron by linear combination. More precisely, for each convex polyhedron P ⊆ R^n there exists a triple (V, C, R) such that V, C, and R are finite sets of points in R^n, and x ∈ P if and only if it can be written as

x = \sum_{v \in V} \alpha_v \cdot v + \sum_{c \in C} \beta_c \cdot c + \sum_{r \in R} \gamma_r \cdot r \quad (5)

where all coefficients α_v, β_c and γ_r are non-negative reals, Σ_{v∈V} α_v + Σ_{c∈C} β_c = 1, and there exists v ∈ V such that α_v > 0. We call the triple (V, C, R) a generator for P.

Intuitively, the elements of V are the proper vertices of the polyhedron P, the elements of C are vertices of the topological closure of P that do not belong to P, and each element of R represents a direction of unboundedness of P.

The following result shows how to efficiently compute the positive post-flow operator, using the 
generator representation. 

Theorem 2 Given two convex polyhedra P and F, let (V_P, C_P, R_P) be a generator for P and (V_F, C_F, R_F) a generator for F. The triple (V_P ⊕ V_F, C_P ∪ V_P, R_P ∪ V_F ∪ C_F ∪ R_F) is a generator for P↗_{>0}F, where ⊕ denotes Minkowski sum.

Proof Let z ∈ P↗_{>0}F; we show that there are coefficients α_v, β_c and γ_r such that z can be written as (5), for V = V_P ⊕ V_F, C = C_P ∪ V_P, and R = R_P ∪ V_F ∪ C_F ∪ R_F.

By definition, there exist x ∈ P, y ∈ F, and δ > 0 such that z = x + δy. Hence, there are coefficients α^x_v, β^x_c, and γ^x_r witnessing the fact that x ∈ P, and coefficients α^y_v, β^y_c, and γ^y_r witnessing the fact that y ∈ F. Moreover, there is i ∈ V_P and j ∈ V_F such that α^x_i > 0 and α^y_j > 0. Let ε = min{α^x_i, δ · α^y_j} and notice that ε > 0. It holds

\alpha^x_i \cdot i + \delta \cdot \alpha^y_j \cdot j = (\alpha^x_i - \varepsilon)\, i + \varepsilon\, i + (\delta \cdot \alpha^y_j - \varepsilon)\, j + \varepsilon\, j = \varepsilon (i + j) + (\alpha^x_i - \varepsilon)\, i + (\delta \cdot \alpha^y_j - \varepsilon)\, j.

Hence,

z = \sum_{v \in V_P} \alpha^x_v v + \sum_{c \in C_P} \beta^x_c c + \sum_{r \in R_P} \gamma^x_r r + \delta \Big( \sum_{v \in V_F} \alpha^y_v v + \sum_{c \in C_F} \beta^y_c c + \sum_{r \in R_F} \gamma^y_r r \Big)

= \varepsilon (i + j) + \Big( (\alpha^x_i - \varepsilon)\, i + \sum_{v \in V_P \setminus \{i\}} \alpha^x_v v + \sum_{c \in C_P} \beta^x_c c \Big)

+ \Big( (\delta \alpha^y_j - \varepsilon)\, j + \sum_{r \in R_P} \gamma^x_r r + \sum_{v \in V_F \setminus \{j\}} \delta \alpha^y_v v + \sum_{c \in C_F} \delta \beta^y_c c + \sum_{r \in R_F} \delta \gamma^y_r r \Big).

One can easily verify that: (i) all coefficients are non-negative; (ii) the sum of the coefficients of the points in V and C is 1; (iii) there exists a point in V, namely i + j, such that its coefficient is strictly positive.

Conversely, let z be a point that can be expressed as (5) for V = V_P ⊕ V_F, C = C_P ∪ V_P, and R = R_P ∪ V_F ∪ C_F ∪ R_F. We prove that z ∈ P↗_{>0}F by identifying x ∈ P, y ∈ F and δ > 0 such that z = x + δy. Notice that (a) Σ_{v∈V_P⊕V_F} α_v + Σ_{c∈C_P∪V_P} β_c = 1, and (b) there exists v* ∈ V_P ⊕ V_F such that α_{v*} > 0. We set

x = \sum_{v_1 \in V_P,\ v_2 \in V_F} \alpha_{v_1 + v_2} \cdot v_1 + \sum_{c \in C_P \cup V_P} \beta_c \cdot c + \sum_{r \in R_P} \gamma_r \cdot r.

We claim that x ∈ P: first, x is expressed as a linear combination of points in (V_P, C_P, R_P); second, all coefficients are non-negative; third, the sum of the coefficients of the points in V_P and in C_P is 1, due to (a) above; finally, since α_{v*} > 0, there is a point in V_P whose coefficient is positive. Then, we set

\delta = \sum_{v \in V_P \oplus V_F} \alpha_v + \sum_{r \in V_F \cup C_F} \gamma_r \quad \text{and} \quad y = \frac{1}{\delta} \cdot \Big( \sum_{v_1 \in V_P,\ v_2 \in V_F} \alpha_{v_1 + v_2} \cdot v_2 + \sum_{r \in V_F \cup C_F \cup R_F} \gamma_r \cdot r \Big).

Since α_{v*} > 0, we have δ > 0. We claim that y ∈ F: first, y is a linear combination of points in (V_F, C_F, R_F); second, all coefficients are non-negative; third, the sum of the coefficients of the points in V_F and in C_F is 1, due to our choice of δ; finally, since α_{v*} > 0, there is a point in V_F whose coefficient is positive.
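The construction of Theorem 2 is mechanical on the generator representation, so it is worth seeing it run. The following is an added example written for this page, not PPL or PHAVer+ code: it builds the generator of the positive post-flow exactly as the theorem states, derives the post-flow as the union of two generators and the pre-flow as the post-flow w.r.t. −F, and evaluates combination (5) with its side conditions so that one can see why a vertex of P is only a closure point of P↗_{>0}F. The inputs (the origin, the open half-plane y > 0 from the example above, a closed unit square and the flow ẋ = 1, ẏ = 0) are constructed here; the code does not validate that its inputs are well-formed generators.

```python
"""Positive post-flow, post-flow and pre-flow on the generator representation
(Theorem 2). Added example with constructed inputs; it is not PPL or PHAVer+
code, and it does not check the representation invariants of its inputs."""
from fractions import Fraction
from itertools import product

# A generator is a triple (V, C, R) of sets of integer tuples: proper points,
# closure points and rays, exactly as in (5).

def add(p, q):
    return tuple(a + b for a, b in zip(p, q))

def neg(p):
    return tuple(-a for a in p)

def negate(gen):
    """Generator of -F: negate every point, closure point and ray."""
    v, c, r = gen
    return ({neg(p) for p in v}, {neg(p) for p in c}, {neg(p) for p in r})

def positive_post_flow(gp, gf):
    """Theorem 2: (V_P + V_F, C_P u V_P, R_P u V_F u C_F u R_F).
    A point or closure point of F equal to the zero vector would become a
    zero ray, which generates nothing, so such rays are dropped."""
    vp, cp, rp = gp
    vf, cf, rf = gf
    rays = {r for r in rp | vf | cf | rf if any(r)}
    return ({add(p, q) for p, q in product(vp, vf)}, cp | vp, rays)

def post_flow(gp, gf):
    """P nearrow F = P u (P nearrow_{>0} F): a list of two generators."""
    return [gp, positive_post_flow(gp, gf)]

def pre_flow(gp, gf):
    """P swarrow F = P nearrow (-F)."""
    return post_flow(gp, negate(gf))

def combine(gen, alpha, beta, gamma):
    """Evaluate (5) for the given coefficient maps. Returns the point, or None
    when a side condition of (5) fails (e.g. only closure points are used)."""
    v, c, r = gen
    if not (set(alpha) <= v and set(beta) <= c and set(gamma) <= r):
        return None
    coeffs = list(alpha.values()) + list(beta.values()) + list(gamma.values())
    if any(k < 0 for k in coeffs):
        return None
    if sum(alpha.values()) + sum(beta.values()) != 1:
        return None
    if not any(k > 0 for k in alpha.values()):
        return None
    dim = len(next(iter(v)))
    pt = [Fraction(0)] * dim
    for m in (alpha, beta, gamma):
        for p, k in m.items():
            for i in range(dim):
                pt[i] += k * p[i]
    return tuple(pt)

# Constructed inputs. P = {(0,0)} and F = {y > 0} are the example of Section 4;
# F has no vertex, so its generator uses the interior point (0,1), the closure
# point (0,0) and three rays. SQUARE is the closed unit square, RIGHT the flow
# dot x = 1, dot y = 0.
ORIGIN = ({(0, 0)}, set(), set())
OPEN_UPPER = ({(0, 1)}, {(0, 0)}, {(1, 0), (-1, 0), (0, 1)})
SQUARE = ({(0, 0), (1, 0), (0, 1), (1, 1)}, set(), set())
RIGHT = ({(1, 0)}, set(), set())

if __name__ == "__main__":
    print(positive_post_flow(ORIGIN, OPEN_UPPER))  # the open half-plane y > 0 again
    print(post_flow(SQUARE, RIGHT))                # the square and (0, inf) x [0, 1]
    print(pre_flow(SQUARE, RIGHT))                 # the square and (-inf, 1) x [0, 1]
```

For the origin and y > 0 the positive post-flow is the half-plane itself, so the post-flow is {(0, 0)} ∪ {y > 0}, the non-convex union discussed above. For the square, the corner (0, 0) moves from V_P to C of the positive post-flow: combine refuses any combination that puts all its weight on closure points, which is exactly the point that the PPL convex hull would wrongly include.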

5 Computing SOR^m

In this section, we show how to efficiently compute SOR^m_l(Z, V), given two polyhedra Z and V. Fixpoint equation (4) can easily be converted into an iterative algorithm, consisting in generating a (potentially infinite) sequence of polyhedra (W_n)_{n∈N}, where W_0 = Z and

W_{i+1} = W_i \setminus \bigcup_{P \in [[\overline{V}]]} \bigcup_{P' \in [[\overline{W_i}]]} (P \cap entry(P, P') \swarrow_l). \quad (6)

Theorem 4 in [6] proves that such sequence converges to a fixpoint within a finite number of steps. The naive implementation of the algorithm is done by an outer loop over the polyhedra P ∈ [[V̄]] and an inner loop over P' ∈ [[W̄_i]]. As a first improvement, we notice that each iteration of the outer loop removes from W_i a portion of P ∈ [[V̄]]. Hence, the portion of P that is not contained in W_i is irrelevant, and we may replace (6) with:

W_{i+1} = W_i \setminus \bigcup_{P \in [[\overline{V} \cap W_i]]} \bigcup_{P' \in [[\overline{W_i}]]} (P \cap entry(P, P') \swarrow_l). \quad (7)

Moreover, we can avoid the need to intersect W_i with V̄ at each iteration, by starting with W'_0 = Z \ V, setting:

W'_{i+1} = W'_i \setminus \bigcup_{P \in [[W'_i]]} \bigcup_{P' \in [[\overline{W_i}]]} (P \cap entry(P, P') \swarrow_l), \quad (8)

and noticing that W_i = W'_i ∪ V for all i ≥ 0. As a consequence, SOR^m_l(Z, V) = lim_{i→∞} W_i = V ∪ lim_{i→∞} W'_i. The implementation described so far is called the basic approach in the following.
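To make the basic approach concrete without a polyhedra library, here is an added example (written for this page, not PHAVer+ code) that runs iteration (7) for a single continuous variable. In one dimension every polyhedron is a finite union of intervals with open or closed endpoints, so cl, bndry, entry, the pre-flow and set difference are a few lines each; the flow Flow(l) is assumed to be a closed interval [fmin, fmax] of admissible slopes, and Z and V are assumed to be given as pairwise disjoint intervals (the interval encoding and the instances at the bottom are constructed here). The one-dimensional case cannot show the open-boundary effect of Figure 1, but it shows the cut mechanics: pieces of W_i outside V that can reach the complement of W_i are removed until no entry region is left.

```python
"""The basic SOR^m fixpoint (Section 5) for a single variable, where every
polyhedron is a finite union of intervals with open or closed endpoints.
Added example with constructed inputs, not PHAVer+ code. Flow(l) is assumed
to be a closed interval (fmin, fmax) of admissible slopes."""
from math import inf

# An interval is (lo, lo_closed, hi, hi_closed); None is the empty set.
def mk(lo, lo_closed, hi, hi_closed):
    if lo > hi or (lo == hi and not (lo_closed and hi_closed)):
        return None
    return (lo, lo_closed and lo != -inf, hi, hi_closed and hi != inf)

def intersect(a, b):
    if a is None or b is None:
        return None
    lo, loc = (a[0], a[1]) if a[0] > b[0] else (b[0], b[1]) if b[0] > a[0] else (a[0], a[1] and b[1])
    hi, hic = (a[2], a[3]) if a[2] < b[2] else (b[2], b[3]) if b[2] < a[2] else (a[2], a[3] and b[3])
    return mk(lo, loc, hi, hic)

def closure(a):
    return None if a is None else mk(a[0], True, a[2], True)

def difference(a, b):
    """a \\ b for a non-empty interval b, as a list of disjoint intervals."""
    parts = [intersect(a, mk(-inf, False, b[0], not b[1])),
             intersect(a, mk(b[2], not b[3], inf, False))]
    return [p for p in parts if p is not None]

def complement(polys):
    """Complement of a union of pairwise disjoint intervals."""
    out, lo, loc = [], -inf, False
    for p in sorted(polys):
        out.append(mk(lo, loc, p[0], not p[1]))
        lo, loc = p[2], not p[3]
    out.append(mk(lo, loc, inf, False))
    return [p for p in out if p is not None]

def meet(ps, qs):
    """Convex pieces of the intersection of two unions of intervals."""
    return [r for p in ps for q in qs if (r := intersect(p, q)) is not None]

def pre_flow(p, flow):
    """p swarrow F = {x - delta*y | x in p, y in [fmin, fmax], delta >= 0}.
    A positive slope lets a trajectory come from arbitrarily far left, a
    negative one from arbitrarily far right; otherwise the endpoint of p stays."""
    if p is None:
        return None
    fmin, fmax = flow
    lo, loc = (-inf, False) if fmax > 0 else (p[0], p[1])
    hi, hic = (inf, False) if fmin < 0 else (p[2], p[3])
    return mk(lo, loc, hi, hic)

def bndry(p, q):
    """bndry(P, P') = (cl(P) ∩ P') ∪ (P ∩ cl(P')), as a list of pieces."""
    return [b for b in (intersect(closure(p), q), intersect(p, closure(q))) if b is not None]

def entry(p, q, flow):
    """entry(P, P') = bndry(P, P') ∩ (P' swarrow_l), as a list of pieces."""
    return [e for b in bndry(p, q) if (e := intersect(b, pre_flow(q, flow))) is not None]

def sor(z, v, flow):
    """SOR^m_l(Z, V): iterate (7) until no cut is found. Z and V are lists of
    pairwise disjoint intervals; the result is the final W_i, sorted."""
    w = list(z)
    while True:
        cuts = []
        for p in meet(complement(v), w):     # P in [[not V ∩ W_i]]
            for q in complement(w):          # P' in [[not W_i]]
                for e in entry(p, q, flow):
                    cut = intersect(p, pre_flow(e, flow))
                    if cut is not None:
                        cuts.append(cut)
        if not cuts:
            return sorted(w)
        for cut in cuts:
            w = [r for p in w for r in difference(p, cut)]

# Constructed instance: stay in Z = [0, 10] or reach V = [8, 9], with dot x in [1, 2].
if __name__ == "__main__":
    print(sor([(0, True, 10, True)], [(8, True, 9, True)], (1, 2)))   # [(0, True, 9, True)]
    print(sor([(0, True, 10, True)], [(8, True, 9, True)], (-1, 1)))  # [(8, True, 9, True)]
```

With slopes in [1, 2] every point of [0, 8) drifts into V before leaving Z, while (9, 10] exits Z at 10 without touching V and is cut away in the first iteration. With slopes in [−1, 1] the environment can steer either way, so only V itself survives; with an unbounded Z = [0, ∞) nothing is cut because the "remain in Z forever" branch of the definition applies.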

5.1 Introducing Adjacency Relations 

Given two disjoint convex polyhedra P and P', we say that they are adjacent if bndry(P, P') ≠ ∅. In the basic approach, the inner loop is repeated for each P' ∈ [[W̄_i]], even if convex polyhedra P' that are not adjacent to P result in an empty entry(P, P') and are therefore irrelevant. Hence, we define the binary relation of external adjacency Ext_i, which associates a polyhedron P ∈ [[W'_i]] with its entry regions entry(P, P') ≠ ∅, for all P' ∈ [[W̄_i]]. Formally,

Ext_i = \{ (P, entry(P, P')) \mid P \in [[W'_i]],\ P' \in [[\overline{W_i}]],\ \text{and } entry(P, P') \neq \emptyset \}. \quad (9)

Once Ext_i is introduced and properly maintained, it also enables to optimize the outer loop. Rather than P ∈ [[W'_i]], it is enough to consider all P which are associated with at least one entry region in Ext_i, i.e., all P such that (P, R) ∈ Ext_i for some R. Summarizing, using Ext_i we can replace (8) with

W'_{i+1} = W'_i \setminus \bigcup_{(P, R) \in Ext_i} (P \cap R \swarrow_l). \quad (10)
Clearly, some extra effort is required to initialize and maintain Ext_i. Initialization is performed by simply applying (9). Regarding maintenance, we briefly discuss how to efficiently compute Ext_{i+1}.



Algorithm 1: SOR^m(Z, V, F)
Input: Poly Z, V; CPoly F
Output: Poly SOR^m(Z, V, F)
Int_new ← ∅; Ext_new ← ∅;
foreach CPoly P ∈ [[Z]] do
    Int_new ← UpdInt(Int_new, P, Z);
    E ← PotentialEntry(P, Int_new, F);
    Ext_new ← UpdExt(Ext_new, P, E, F, V);
while Ext_new ≠ ∅ do
    Ext_old ← Ext_new;
    Int_old ← Int_new;
    Ext_new ← ∅;
    foreach P s.t. (P, R) ∈ Ext_old do
        B ← ∪ {R | (P, R) ∈ Ext_old};
        Cut ← P ∩ (B ↙ F);
        if Cut ≠ ∅ then
            P_new ← P \ Cut;
            foreach P' ∈ [[P_new]] do
                Int_new ← UpdInt(Int_new, P', P_new);
            foreach P' s.t. (P, P') ∈ Int_old do
                Int_new ← UpdInt(Int_new, P', P_new);
                Ext_new ← UpdExt(Ext_new, P', Cut, F, V);
            Int_new ← Int_new \ {(P, Q) ∈ Int_old};
return {P | (P, P') ∈ Int_new};

Algorithm 2: UpdInt(Int, P, Candidates)
Input: Set of CPoly pairs Int; CPoly P; Poly Candidates
Output: Set of CPoly pairs Int
Int ← Int ∪ {(P, ∅)};
foreach CPoly P' ∈ [[Candidates]], with P' ≠ P do
    if bndry(P, P') ≠ ∅ then
        Int ← Int ∪ {(P, P')};
return Int;

Algorithm 3: UpdExt(Ext, P, Candidates, F, V)
Input: Set of CPoly pairs Ext; CPoly P, F; Poly Candidates, V
Output: Set of CPoly pairs Ext
if P ⊈ V then
    foreach CPoly P' ∈ [[Candidates]] do
        R ← entry(P, P');
        if R ≠ ∅ then
            Ext ← Ext ∪ {(P, R)};
return Ext;



During the i-th iteration, certain convex polyhedra P ∈ [[W'_i]] are cut by removing the points that may directly reach a convex polyhedron P' ∈ [[W̄_i]]. These cuts may expose other convex polyhedra in [[W'_i]], that were previously covered by P. These exposed polyhedra will be the only ones to have associated entry regions in Ext_{i+1}. In order to be exposed by a cut made to P, a convex polyhedron must be adjacent to P. Hence, in order to compute Ext_{i+1} it is useful to have information about the adjacency among the polyhedra in [[W'_i]]. To this aim, we also introduce the binary relation of internal adjacency Int_i between polyhedra in [[W'_i]]:

Int_i = \{ (P_1, P_2) \mid P_1, P_2 \in [[W'_i]],\ P_1 \neq P_2 \text{ and } bndry(P_1, P_2) \neq \emptyset \}. \quad (11)

The computation of Int_0 requires the complete scan of all P_1, P_2 ∈ [[W'_0]], while Int_{i+1} is obtained incrementally from Int_i and Ext_i. Given (P, R) ∈ Ext_i, let Cut = P ∩ (R↙_l) and P_new = P \ Cut. Notice that P_new may be non-convex, being the result of a set-theoretical difference between two convex polyhedra. To obtain Int_{i+1}, we add to Int_i the pairs of adjacent convex polyhedra (P_1, P_2) such that either (i) both P_1 and P_2 belong to [[P_new]], or (ii) one of them belongs to [[P_new]] and the other is adjacent to P according to Int_i. Moreover, once P_new replaces P in W'_{i+1}, it is necessary to remove all the pairs (P, P') from Ext_i and Int_i.

Algorithms 1 to 3 represent a concrete implementation of the technique described so far. In Algorithm 1, Ext_old and Int_old represent the old adjacency relations, while Ext_new and Int_new the new ones. The first "for each" loop initializes both relations, followed by a "while" loop that iterates until the external adjacency relation is empty. Maintenance of the adjacency relations is delegated to Algorithms 2 and 3, that receive as input the relation they have to update, the convex polyhedron P whose adjacencies need to be examined, and a general polyhedron Candidates containing the convex polyhedra that may be adjacent to P. Additionally, Algorithm 3 also needs to know the input set V (region to be avoided) and the location flow F = Flow(l).

The auxiliary function PotentialEntry returns the potential entry region for P. In this version, we simply have

PotentialEntry(P, Int_0, F) = \overline{Z}.

This will be improved in Section 5.2.



5.2 Further Improving the Performance

Recall that $PotentialEntry(P, Int_0, F)$ returns Z, regardless of its inputs. Experimental evidence (see Section 6.2) shows that it is often the case that the portion of Z which is relevant to computing the entry regions of a given convex polyhedron P is much smaller than the whole set Z. This often leads to a large number of attempts to compute entry regions which end up empty. To avoid this, for each P in $[[Z]]$ we proceed as follows. We first collect P and all convex polyhedra in $[[Z]]$ that are adjacent to it:

$$P_{adj} = \{P\} \cup \{P' \mid (P, P') \in Int_0\}.$$

Then, we compute

$$PotentialEntry(P, Int_0, F) = (P \nearrow F) \setminus P_{adj}.$$

The resulting polyhedron contains all and only the convex polyhedra of Z which, if adjacent to P, give rise to a non-empty entry region.
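The incremental maintenance of the internal adjacency relation (equation (11) and the update rules (i) and (ii) above), together with the neighbour set $P_{adj}$ of Section 5.2, as an added example that is not part of the paper or of PHAVer+. It assumes, as a constructed simplification, that convex polyhedra are closed axis-aligned boxes, so that $bndry(P_1, P_2) \neq \emptyset$ reduces to the boxes sharing a point, and the cut region is given directly as a box rather than as $R \swarrow F$.

```python
from itertools import combinations

# Constructed stand-in for convex polyhedra: closed axis-aligned boxes (x1, y1, x2, y2).
# A list of boxes plays the role of a general (non-convex) polyhedron, i.e. [[W]].

def bndry_nonempty(a, b):
    """bndry(a, b) != {}: the two closed boxes share at least one point."""
    return (a[0] <= b[2] and b[0] <= a[2]        # x ranges touch or overlap
            and a[1] <= b[3] and b[1] <= a[3])   # y ranges touch or overlap

def internal_adjacency(boxes):
    """Int_0 by a full scan of all pairs, as in equation (11) (pairs are unordered)."""
    return {frozenset((p1, p2)) for p1, p2 in combinations(boxes, 2)
            if bndry_nonempty(p1, p2)}

def neighbours(int_rel, p):
    """{P' | (P, P') in Int}; adding P itself gives P_adj of Section 5.2."""
    return {q for pair in int_rel if p in pair for q in pair if q != p}

def cut_box(p, cut):
    """P_new = P \\ Cut as a list of boxes (non-convex in general); Cut is first clipped to P."""
    x1, y1 = max(p[0], cut[0]), max(p[1], cut[1])
    x2, y2 = min(p[2], cut[2]), min(p[3], cut[3])
    if x1 >= x2 or y1 >= y2:        # the cut removes no area of P
        return [p]
    parts = []
    if p[0] < x1: parts.append((p[0], p[1], x1, p[3]))   # strip left of the cut
    if x2 < p[2]: parts.append((x2, p[1], p[2], p[3]))   # strip right of the cut
    if p[1] < y1: parts.append((x1, p[1], x2, y1))       # strip below the cut
    if y2 < p[3]: parts.append((x1, y2, x2, p[3]))       # strip above the cut
    return parts

def update_internal(int_rel, p, p_new):
    """Int_{i+1} from Int_i once P is replaced by [[P_new]]: drop every pair (P, P'), then
    add (i) adjacent pairs inside [[P_new]] and (ii) pairs between a piece of P_new and a
    former neighbour of P. No other adjacency can have changed."""
    old_nb = neighbours(int_rel, p)
    new_rel = {pair for pair in int_rel if p not in pair}
    new_rel |= internal_adjacency(p_new)                                  # rule (i)
    new_rel |= {frozenset((q, r)) for q in p_new for r in old_nb
                if bndry_nonempty(q, r)}                                  # rule (ii)
    return new_rel

if __name__ == "__main__":
    A, B, C = (0, 0, 2, 2), (2, 0, 4, 2), (0, 2, 4, 4)   # constructed [[W_0]]
    int0 = internal_adjacency([A, B, C])
    a_new = cut_box(A, (1, 1, 3, 3))                     # Cut = A intersected with the box
    int1 = update_internal(int0, A, a_new)
    assert int1 == internal_adjacency(a_new + [B, C])   # incremental == full rescan
    print(sorted(map(sorted, int1)), neighbours(int1, B) | {B})
```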



6 Experiments with PHAVer+

We implemented the three algorithms described in the previous section on top of the open-source tool PHAVer [9]. In the following figures, the basic approach (Section 5) is denoted by Basic, the adjacency approach (Section 5.1) by Adj, and the local adjacency approach (Section 5.2) by Local. We show some results obtained by testing our package on two different examples: the Truck Navigation Control (TNC) and the Water Tanks Control (WTC). The experiments are divided into two distinct categories: the macro analysis shows the performance of the three implementations when solving safety control problems, while the micro analysis shows the performance of a single call to the $SOR_f(Z, V)$ operator. A binary pre-release of our implementation, which we call PHAVer+, can be downloaded at http://people.na.infn.it/nifaella/phaverplus. The experiments were performed on an Intel Xeon (2.80GHz) PC.

6.1 Macro Analysis 

We now describe in detail the two examples used to evaluate the performance of our package. 



Truck Navigation Control. This example is derived from [8], where the tool HoneyTech is presented, as an extension of HyTech [12] for the automatic synthesis of controllers. Consider an autonomous toy truck, which is responsible for avoiding some 2 by 1 rectangular pits. The truck can take 90-degree left or right turns: the possible directions are North-East (NE), North-West (NW), South-East (SE) and South-West (SW). One time unit must pass between two changes of direction. The control goal consists in avoiding the pits. Figure 2 shows the hybrid automaton modeling the system: there is one location for each direction, where the derivatives of the position variables (x and y) are set according to the corresponding direction. The variable t represents a clock ($\dot{t} = 1$) that enforces a one-time-unit wait between turns.

Figure 2: TNC modeled as a Hybrid Automaton.

We tested our implementations on progressively more complex control goals, by increasing the number of obstacles. Figure 3(a) compares the performance of the three implementations of the algorithm (solid line for local, dashed line for adjacency, dotted line for basic and dotted-dashed line for the performance reported in [8]). We were not able to replicate the experiments in [8], since HoneyTech is not publicly available. Notice that the time axis is logarithmic.

Because of the different hardware used, only a qualitative comparison can be made between our implementations and HoneyTech: going from 1 to 6 obstacles (as in the case study in [8]), the run time of HoneyTech shows an exponential behavior, while our best implementation exhibits an approximately linear growth, as shown in Figure 3(a), where the performance of PHAVer+ is plotted up to 9 obstacles.
Figure 3: Schema and performance for the two examples. (a) Performance for TNC. (b) System schema for WTC. (c) Performance for WTC.
Water Tank Control. Consider the system depicted in Figure 3(b), where two tanks, A and B, are linked by a one-directional valve mid (from A to B). There are two additional valves: the valve in to fill A and the valve out to drain B. The two tanks are open-air: the level of the water inside also depends on potential rain and evaporation. It is possible to change the state of one valve only after one second has passed since the last valve operation.

The corresponding hybrid automaton has eight locations, one for each combination of the state (open/closed) of the three valves, and three variables: x and y for the water level in the tanks, and t as the clock that enforces a one-time-unit wait between consecutive discrete transitions. Since the tanks are in the same geographic location, rain and evaporation are assumed to have the same rate in both tanks, thus leading to a proper LHA that is not rectangular [13].

We set the in and mid flow rate to 1, the out flow rate to 3, the maximum evaporation rate to 0.5 and the maximum rain rate to 1, and solve the synthesis problem for the safety specification requiring the water levels to be between and 8. Figure 3(c) shows the run time of the three versions of the algorithm on WTC.



6.2 Micro Analysis

In this subsection we show the behavior of individual calls to $SOR_f(Z, V)$, implemented in the three different ways described in Section 5. The evaluation of the efficiency of the three versions is carried out based on the number of comparisons that the three algorithms perform in order to identify the boundaries between polyhedra in Z and polyhedra in PotentialEntry, with respect to the size of the input. We choose to highlight the number of computed boundaries because the idea that led us to the final version of the algorithm is precisely to avoid unnecessary adjacency checks.

Figure 4: Run time (in sec.) and number of boundary checks of the three algorithms for $SOR_f$ w.r.t. the size of the input ($\|Z\| + \|V\|$).

Figure 4 shows the run time and the number of boundary computations made by the three approaches. As expected, the number of calls made by the basic algorithm is higher than those made by the adjacency approach, which in turn is higher than those made by the local adjacency algorithm. This is reflected in the execution times of the three procedures. One also notices a certain instability in the case of the basic algorithm, due to the fact that in some instances of the problem, even with small inputs, the algorithm can cut an individual polyhedron into many parts: this dramatically increases the size of the sets Z and Z in the next steps and consequently the number of comparisons required. This instability is kept much more under control with the introduction of the adjacency relations. Note that in the local version the number of comparisons required is much lower: we can easily explain this fact, recalling that PotentialEntry in the adjacency version returns the whole Z, forcing Algorithm 3 to perform |Z| iterations of its "foreach" loop.
Figure 5: Size of PotentialEntry in the Adj and the Local algorithms.

Figure 5 shows, for the same inputs, the relationship between the size of PotentialEntry in the basic and in the adjacency versions (i.e., Z) and in the local version: the ratio is 1 to 10, which drastically reduces the number of checks, and consequently the overall run time.